Extreme programming (XP) is an agile software development framework that aims to produce higher quality software and higher quality of life for the development team.
In 2003, one of the first controlled studies highlighted the benefits of extreme programming (XP) (Abrahamsson, 2003). That study found that the extreme programming technique improved accuracy by 26% and productivity by 12 lines of code (LOC) per hour.
And that was in 2003.
Today's development methods are considerably more efficient, yet they still don't fully account for the role and importance of security. So what is the point of an ultra-agile development process if it just turns up bugs later and then requires the team to cycle back, patch, re-launch, and so on?
A better alternative? Securing code as early as possible.
Below are some techniques adopted from the extreme programming approach that benefit application security.
While there are endless ways to integrate security into your SDLC, we'll be focusing on three techniques:
Pair programming is having two developers work at the same workstation. They'll write, debug or explore code together, taking turns doing tasks. As one developer works, the other watches to observe, learn and support.
While not strictly a programming practice, continuous integration (CI) is a growing favorite for teams that are scaling their code deployment, and it provides real benefits for security. In continuous integration, small code changes are tested immediately and merged into the larger code base: an automated process in which changes from multiple contributors are merged into a single software project. Continuous integration is usually adopted alongside continuous delivery (CD), so that code is tested and shipped in small, quality batches.
Test-first programming (also called test-first development) works as a cyclical process in which automated unit tests are written first, so that issues with the code are identified before it is written for production. The steps of this process are:
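As an added illustration of the test-first cycle applied to a security requirement (example code written for this article, not from the original post or any cited study): the unit tests for a hypothetical `safe_join()` helper are written first, stating that user-supplied paths must stay inside an assumed upload directory, and only then is the function written to make them pass.

```python
import unittest
from pathlib import PurePosixPath

# Constructed example of test-first development for a security property.
# The test case below was written before safe_join() existed and drove its
# implementation; the function follows the tests in the file on purpose.

UPLOAD_ROOT = "/srv/app/uploads"  # assumed base directory for this example


class SafeJoinTests(unittest.TestCase):
    """Requirements for safe_join(), written before the implementation."""

    def test_plain_filename_is_allowed(self):
        self.assertEqual(safe_join(UPLOAD_ROOT, "report.pdf"),
                         "/srv/app/uploads/report.pdf")

    def test_nested_relative_path_is_allowed(self):
        self.assertEqual(safe_join(UPLOAD_ROOT, "2021/q3/report.pdf"),
                         "/srv/app/uploads/2021/q3/report.pdf")

    def test_parent_reference_is_rejected(self):
        with self.assertRaises(ValueError):
            safe_join(UPLOAD_ROOT, "../config/settings.ini")

    def test_absolute_path_is_rejected(self):
        with self.assertRaises(ValueError):
            safe_join(UPLOAD_ROOT, "/srv/app/config/settings.ini")

    def test_embedded_parent_reference_is_rejected(self):
        with self.assertRaises(ValueError):
            safe_join(UPLOAD_ROOT, "2021/../../config/settings.ini")


def safe_join(root: str, user_path: str) -> str:
    """Join user_path onto root, refusing anything that could leave root."""
    candidate = PurePosixPath(user_path)
    if candidate.is_absolute():
        raise ValueError("absolute paths are not allowed")
    if any(part == ".." for part in candidate.parts):
        raise ValueError("parent directory references are not allowed")
    return str(PurePosixPath(root) / candidate)


def run_tests() -> bool:
    """Run the test case and report whether every test passed."""
    suite = unittest.defaultTestLoader.loadTestsFromTestCase(SafeJoinTests)
    return unittest.TextTestRunner(verbosity=0).run(suite).wasSuccessful()


if __name__ == "__main__":
    unittest.main()
```

In a CI pipeline this test file runs on every merge, so a later change that weakens the check fails the build rather than reaching production.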
Extreme programming is one of the most specific frameworks, and it can be a great choice for any company considering an agile methodology. However, security cannot be forgotten in the process; it should be proactively considered in whatever methods your organization adopts. Whether you choose extreme programming or an alternative method, you can reflect on the options above to see how security can best be integrated into your SDLC.
Abrahamsson, P., 2003. Extreme programming: first results from a controlled case study. Proceedings of the 20th IEEE Instrumentation Technology Conference (Cat No 03CH37412) EURMIC-03.
Erdogmus, H., Morisio, M. and Torchiano, M., 2005. On the effectiveness of the test-first approach to programming. IEEE Transactions on Software Engineering, 31, pp.226-237.
Ge, X., Paige, R., Polack, F. and Brooke, P., 2007. Extreme Programming Security Practices. International Conference on Extreme Programming and Agile Processes in Software Engineering, [online] 4536, pp.226-230. Available at: <https://link.springer.com/chapter/10.1007/978-3-540-73101-6_42> [Accessed 16 September 2021].